U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Fiscal Year 2011
Federal Information Security Management Act Report
Status of EPA's Computer Security Program

Report No. 12-P-0062                November 9, 2011

Report Contributors:    Rudolph M. Brevard
                        Cheryl Reid
                        Scott Sammons
                        Christina Nelson
                        Kyle Denning

Abbreviations

APT           Advanced Persistent Threat
BIA           Business Impact Analysis
CA            Certification, Accreditation, and Security Assessments
CIO           Chief Information Officer
EPA           U.S. Environmental Protection Agency
FDCC          Federal Desktop Core Configuration
FIPS          Federal Information Processing Standards
FISMA         Federal Information Security Management Act
IT            Information Technology
MOU           Memorandum of Understanding
NIST          National Institute of Standards and Technology
OCFO          Office of the Chief Financial Officer
OEI           Office of Environmental Information
OIG           Office of Inspector General
OMB           Office of Management and Budget
PIV           Personal Identity Verification
PM            Program Management
POA&M         Plan of Action & Milestones
RCRAInfo      Resource Conservation and Recovery Act Information System
SP            Special Publication
TT&E          Training, Testing, and Exercises
US-CERT       United States Computer Emergency Readiness Team
USGCB         United States Government Configuration Baseline

Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:

e-mail:    OIG_Hotline@epa.gov                      write:    EPA Inspector General Hotline
phone:     1-888-546-8740                                     1200 Pennsylvania Avenue NW
fax:       202-566-2599                                       Mailcode 2431T
online:    http://www.epa.gov/oig/hotline.htm                 Washington, DC 20460

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

November 9, 2011

MEMORANDUM

SUBJECT:      Fiscal Year 2011 Federal Information Security Management Act Report:
              Status of EPA's Computer Security Program
              Report No. 12-P-0062

FROM:         Arthur A. Elkins, Jr.
              Inspector General

TO:           Lisa P. Jackson
              Administrator

Attached is the Office of Inspector General's (OIG's) Fiscal Year 2011 Federal Information Security Management Act (FISMA) Reporting Template, as prescribed by the Office of Management and Budget (OMB). We performed this review in accordance with generally accepted government auditing standards. These standards require the team to plan and perform the review to obtain sufficient and appropriate evidence to provide a reasonable basis for the findings and conclusions based on the objectives of the review.

We believe the evidence obtained provides a reasonable basis for our findings and conclusions, and in all material respects, meets the FISMA reporting requirements prescribed by OMB. In accordance with OMB reporting instructions, I am forwarding this report to you for submission, along with the Agency's required information, to the Director of OMB.

The audit work performed during the FISMA review disclosed that the Agency needs to make significant improvements in the following programs: (1) Risk Management, (2) Plans of Action & Milestones, and (3) Continuous Monitoring Management.

In addition, audit work during fiscal year 2011 noted significant weaknesses with several aspects of EPA's information security program. Appendix A summarizes the results from these audit reports.

Inspector General Section Report
2011 Annual FISMA Report
Environmental Protection Agency

Section 1: Risk Management

1.b.     The Agency has established and is maintaining a risk management program. However, the Agency needs to make significant improvements as noted below.

         Comments: We limited our review to evaluating whether EPA fully developed Risk Management policies and procedures compliant with NIST SP 800-37. While EPA developed Risk Assessment guidance, the Agency had not fully developed a Risk Management Framework consistent with the latest NIST guidance. As such, we did not evaluate all of the Risk Management areas within this section.

    1.b(1).    Risk Management policy is not fully developed.
               Yes
    1.b(2).    Risk Management procedures are not fully developed or sufficiently detailed (SP 800-37, SP 800-39, SP 800-53).
               Yes
    1.b(3).    Risk Management procedures are not consistently implemented in accordance with government policies (SP 800-37, SP 800-39, SP 800-53).
               No
               Comments: We did not evaluate this area.
    1.b(4).    A comprehensive governance structure and Agency-wide risk management strategy has not been fully developed in accordance with government policies (SP 800-37, SP 800-39, SP 800-53).
               No
               Comments: We did not evaluate this area.
    1.b(5).    Risks from a mission and business process perspective are not addressed (SP 800-37, SP 800-39, SP 800-53).
               No
               Comments: We did not evaluate this area.
    1.b(6).    Information systems are not properly categorized (FIPS 199/SP 800-60).
               No
    1.b(7).    Appropriately tailored baseline security controls are not applied to information systems in accordance with government policies (FIPS 200/SP 800-53).
               No
    1.b(8).    Risk assessments are not conducted in accordance with government policies (SP 800-30).
               No
               Comments: We did not evaluate this area.

OIG Report - Annual 2011                                                    Page 1 of 11
                                 For Official Use Only

    1.b(9).    Security control baselines are not appropriately tailored to individual information systems in accordance with government policies (SP 800-53).
               No
    1.b(10).   The communication of information system specific risks, mission/business specific risks and organizational level (strategic) risks to appropriate levels of the organization is not in accordance with government policies.
               No
               Comments: We did not evaluate this area.
    1.b(11).   The process to assess security control effectiveness is not in accordance with government policies (SP 800-53A).
               No
    1.b(12).   The process to determine risk to Agency operations, Agency assets, or individuals, or to authorize information systems to operate is not in accordance with government policies (SP 800-37).
               No
               Comments: We did not evaluate this area.
    1.b(13).   The process to continuously monitor changes to information systems that may necessitate reassessment of control effectiveness is not in accordance with government policies (SP 800-37).
               No
               Comments: We did not evaluate this area.
    1.b(14).   Security plan is not in accordance with government policies (SP 800-18, SP 800-37).
               No
               Comments: We did not evaluate this area.
    1.b(15).   Security assessment report is not in accordance with government policies (SP 800-53A, SP 800-37).
               No
               Comments: We did not evaluate this area.
    1.b(16).   Accreditation boundaries for Agency information systems are not defined in accordance with government policies.
               No
               Comments: We did not evaluate this area.
    1.b(17).   Other
               No

Section 2: Configuration Management

2.a.     The Agency has established and is maintaining a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

    2.a(1).    Documented policies and procedures for configuration management.
               Yes
    2.a(2).    Standard baseline configurations defined.
               Yes
    2.a(3).    Assessing for compliance with baseline configurations.
               Yes
    2.a(4).    Process for timely, as specified in Agency policy or standards, remediation of scan result deviations.
               Yes
    2.a(5).    For Windows-based components, FDCC/USGCB secure configuration settings fully implemented and any deviations from FDCC/USGCB baseline settings fully documented.
               Yes
    2.a(6).    Documented proposed or actual changes to hardware and software configurations.
               Yes
    2.a(7).    Process for timely and secure installation of software patches.
               Yes

Section 3: Incident Response and Reporting

3a.      The Agency has established and is maintaining an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

    3a(1).     Documented policies and procedures for detecting, responding to and reporting incidents.
               Yes
    3a(2).     Comprehensive analysis, validation and documentation of incidents.
               Yes
    3a(3).     When applicable, reports to US-CERT within established timeframes.
               Yes
    3a(4).     When applicable, reports to law enforcement within established timeframes.
               Yes
    3a(5).     Responds to and resolves incidents in a timely manner, as specified in Agency policy or standards, to minimize further damage.
               Yes
    3a(6).     Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.
               Yes
    3a(7).     Is capable of correlating incidents.
               Yes
               Comments: We are reviewing this area in a separate audit. We will issue our results in the final report during the third quarter of FY 2012.

Section 4: Security Training

4.a.     The Agency has established and is maintaining a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

    4.a(1).    Documented policies and procedures for security awareness training.
               Yes
    4.a(2).    Documented policies and procedures for specialized training for users with significant information security responsibilities.
               Yes
    4.a(3).    Security training content based on the organization and roles, as specified in Agency policy or standards.
               Yes
    4.a(4).    Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other Agency users) with access privileges that require security awareness training.
               Yes
    4.a(5).    Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other Agency users) with significant information security responsibilities that require specialized training.
               Yes

Section 5: POA&M

5.b.     The Agency has established and is maintaining a POA&M program that tracks and remediates known information security weaknesses. However, the Agency needs to make significant improvements as noted below.

    5.b(1).    POA&M policy is not fully developed.
               No
    5.b(2).    POA&M procedures are not fully developed and sufficiently detailed.
               No
    5.b(3).    POA&M procedures are not consistently implemented in accordance with government policies.
               No
    5.b(4).    POA&Ms do not include security weaknesses discovered during assessments of security controls and requiring remediation (OMB M-04-25).
               Yes
               Comments: While EPA creates POA&Ms during annual self-assessments, the Agency does not consistently create POA&Ms for security weaknesses discovered during internal reviews.
    5.b(5).    Remediation actions do not sufficiently address weaknesses in accordance with government policies (NIST SP 800-53, Rev. 3, Sect. 3.4 Monitoring Security Controls).
               No
    5.b(6).    Sources of security weaknesses are not tracked (OMB M-04-25).
               No
    5.b(7).    Security weaknesses are not appropriately prioritized (OMB M-04-25).
               No
    5.b(8).    Milestone dates are not adhered to (OMB M-04-25).
               No
    5.b(9).    Initial target remediation dates are frequently missed (OMB M-04-25).
               Yes
               Comments: 20% of EPA's FY 2011 POA&Ms missed the initial target remediation date by 30 or more days.
    5.b(10).   POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25).
               No
    5.b(11).   Costs associated with remediating weaknesses are not identified (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25).
               No
    5.b(12).   Agency CIO does not track and review POA&Ms (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25).
               No
    5.b(13).   Other
               No

Section 6: Remote Access Management

6.a.     The Agency has established and is maintaining a remote access program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

    6.a(1).    Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access.
               Yes
    6.a(2).    Protects against unauthorized connections or subversion of authorized connections.
               Yes
    6.a(3).    Users are uniquely identified and authenticated for all access.
               Yes
    6.a(4).    If applicable, multi-factor authentication is required for remote access.
               Yes
    6.a(5).    Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength mechanisms.
               Yes
    6.a(6).    Defines and implements encryption requirements for information transmitted across public networks.
               Yes
    6.a(7).    Remote access sessions, in accordance with OMB M-07-16, are timed out after 30 minutes of inactivity, after which re-authentication is required.
               Yes

Section 7: Identity and Access Management

7.a.     The Agency has established and is maintaining an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and identifies users and network devices. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

         Comments: We did not evaluate this section because we are reviewing this area in a separate audit. We will issue our results in the final report during the second quarter of FY 2012.

    7.a(1).    Documented policies and procedures for account and identity management.
               Yes
    7.a(2).    Identifies all users, including federal employees, contractors, and others who access Agency systems.
               Yes
    7.a(3).    Identifies when special access requirements (e.g., multi-factor authentication) are necessary.
               Yes
    7.a(4).    If multi-factor authentication is in use, it is linked to the Agency's PIV program where appropriate.
               Yes
    7.a(5).    Ensures that the users are granted access based on needs and separation of duties principles.
               Yes
    7.a(6).    Identifies devices that are attached to the network and distinguishes these devices from users.
               Yes
    7.a(7).    Ensures that accounts are terminated or deactivated once access is no longer required.
               Yes
    7.a(8).    Identifies and controls use of shared accounts.
               Yes

Section 8: Continuous Monitoring Management

8.b.     The Agency has established an enterprise-wide continuous monitoring program that assesses the security state of information systems. However, the Agency needs to make significant improvements as noted below.

    8.b(1).    Continuous monitoring policy is not fully developed (NIST 800-53: CA-7).
               No
    8.b(2).    Continuous monitoring procedures are not fully developed (NIST 800-53: CA-7).
               Yes
    8.b(3).    Continuous monitoring procedures are not consistently implemented (NIST 800-53: CA-7; 800-37 Rev 1, Appendix G).
               No
               Comments: We did not evaluate this area.
    8.b(4).    Strategy or plan has not been fully developed for enterprise-wide continuous monitoring (NIST 800-37 Rev 1, Appendix G).
               Yes
    8.b(5).    Ongoing assessments of security controls (system-specific, hybrid, and common) have not been performed (NIST 800-53, NIST 800-53A).
               No
    8.b(6).    The following were not provided to the authorizing official or other key system officials: security status reports covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms (NIST 800-53, NIST 800-53A).
               No
    8.b(7).    Other
               No

Section 9: Contingency Planning

9.a.     The Agency has established and is maintaining an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

    9.a(1).    Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster.
               Yes
    9.a(2).    The Agency has performed an overall Business Impact Analysis (BIA).
               Yes
    9.a(3).    Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures.
               Yes
    9.a(4).    Testing of system specific contingency plans.
               Yes
    9.a(5).    The documented business continuity and disaster recovery plans are in place and can be implemented when necessary.
               Yes
    9.a(6).    Development of test, training, and exercise (TT&E) programs.
               Yes
    9.a(7).    Performance of regular ongoing testing or exercising of business continuity/disaster recovery plans to determine effectiveness and to maintain current plans.
               Yes

Section 10: Contractor Systems

10.a.    The Agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities, including Agency systems and services residing in the cloud external to the Agency. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

    10.a(1).   Documented policies and procedures for information security oversight of systems operated on the Agency's behalf by contractors or other entities, including Agency systems and services residing in public cloud.
               Yes
    10.a(2).   The Agency obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with federal and Agency guidelines.
               Yes
    10.a(3).   A complete inventory of systems operated on the Agency's behalf by contractors or other entities, including Agency systems and services residing in public cloud.
               Yes
    10.a(4).   The inventory identifies interfaces between these systems and Agency-operated systems.
               Yes
    10.a(5).   The Agency requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates.
               Yes
    10.a(6).   The inventory of contractor systems is updated at least annually.
               Yes
    10.a(7).   Systems that are owned or operated by contractors or entities, including Agency systems and services residing in public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.
               Yes

Section 11: Security Capital Planning

11.a.    The Agency has established and maintains a security capital planning and investment program for information security. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:

    11.a(1).   Documented policies and procedures to address information security in the capital planning and investment control process.
               Yes
    11.a(2).   Includes information security requirements as part of the capital planning and investment process.
               Yes
    11.a(3).   Establishes a discrete line item for information security in organizational programming and documentation.
               Yes
    11.a(4).   Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required.
               Yes
    11.a(5).   Ensures that information security resources are available for expenditure as planned.
               Yes

                                                                                Appendix A

            Summary of Significant Fiscal Year 2011
                  Security Control Audits

During fiscal year 2011, the EPA OIG published a number of audit reports on EPA's information technology security program and information systems. The following summarizes key findings:

1. Region 9 Technical and Computer Room Security Vulnerabilities Increase Risk to EPA's Network, Report No. 11-P-0725, September 30, 2011

   The OIG's physical and environmental control review of the Region 9 computer room found that sufficient protections were not in place to safeguard critical information technology assets and associated data from the risk of damage and/or loss.

2. EPA Has Taken Steps to Address Cyber Threats but Key Actions Remain Incomplete, Report No. 11-P-0277, June 23, 2011

   In association with an OIG investigation of Advanced Persistent Threats (APTs), the Agency reported that over 7,800 of its systems had communicated with known hostile Internet protocol addresses. These Agency systems potentially could have been compromised by APTs due to these communications. We issued previous reports and made recommendations that could help the Agency strengthen cyber security practices for combating APTs. However, some of those recommendations remain unimplemented, and we continue to find and report on similar weaknesses at other EPA locations. The Agency generally agreed with all the recommendations.

3. Improvements Needed in EPA's Network Traffic Management Practices, Report No. 11-P-0159, March 14, 2011

   The Office of Environmental Information (OEI) does not have consistent, repeatable intrusion detection system monitoring practices in place, which inhibits EPA's ability to monitor unusual network activity and thus protect Agency systems and associated data. OEI has not documented a methodology to aid in making decisions about potentially unusual network traffic and does not consistently conduct management oversight of contractor performance and reporting. In addition, key federally required security documents for EPA's Wide Area Network were not complete or accurate. The Agency agreed with our recommendations.

4. EPA Could Improve RCRAInfo Data Quality and System Development, Report No. 11-P-0096, February 7, 2011

   Resource Conservation and Recovery Act Information System (RCRAInfo) data that track hazardous waste handlers and the shipment and receipt of hazardous waste contain errors and are missing source documentation. These conditions call into question the quality and reliability of data within the RCRAInfo system, as well as any resulting reporting. RCRAInfo system owners did not follow the prescribed System Life Cycle Management testing procedures to test and validate the updated software and updated system. Further, field work found instances of test data commingled with production data. Overall, the above conditions were caused by not having specific data quality procedures for RCRAInfo that align with the Agency's data quality policy, not following the System Life Cycle Management procedures for system development, and not adequately communicating with the states regarding the RCRAInfo test environment. As required by the EPA quality policy, EPA organizations must document and implement a quality program for environmental data that are intended for external distribution.

5. Improvements Needed in EPA's Efforts to Replace Its Core Financial System, Report No. 11-P-0019, November 29, 2010

   The Office of the Chief Financial Officer's (OCFO's) management control processes do not ensure compliance with EPA's Systems Life Cycle Management policies and procedures. EPA's system development policies and procedures identify specific activities and documents required during a system development project. However, OCFO's internal control environment does not enforce these policies and procedures. OCFO proceeded with the design subphase of the system project without obtaining executive management approval of the updated system requirements or developing and obtaining the required approval of test plans to ensure the system will meet Agency needs. Further, OCFO did not predetermine the acceptable product acceptance test script failure percentages to be used as the basis for management's go/no-go decision to proceed with using the evaluated product. The Agency agreed with all recommendations.

6. Technical Vulnerability Assessments

   As part of the fiscal year 2011 FISMA audit, the OIG issued a series of network vulnerability reports to EPA offices to address high-risk and medium-risk vulnerabilities. The OIG met with EPA information security personnel to discuss the findings. If not resolved, these vulnerabilities could expose EPA's assets to unauthorized access and potentially harm the Agency's network. The first report listed below also appears as number 1 above, because it reported on our review of Region 9's physical and environmental controls as well as the results of our technical vulnerability assessment.

      •   Region 9 Technical and Computer Room Security Vulnerabilities Increase Risk to EPA's Network, Report No. 11-P-0725, September 30, 2011
      •   Results of Technical Vulnerability Assessment: EPA's Directory Service System Authentication and Authorization Servers, Report No. 11-P-0597, September 9, 2011
      •   Results of Technical Network Vulnerability Assessment: EPA's National Health & Environment Effect Research Laboratory, Western Ecology Division, Report No. 11-P-0429, August 3, 2011

                                                                                Appendix B

                                    Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Director, Office of Technology Operations and Planning, Office of Environmental Information
Senior Agency Information Security Officer, Office of Environmental Information
Director, Technology and Information Security Staff, Office of Environmental Information
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Information
Audit Follow-Up Coordinator, Office of Environmental Information